Windows Internals
beginner

Authentication & logon

How Windows turns credentials into authenticated sessions, security contexts, and usable access tokens.

Guided paths in this branch

Follow a short sequence step by step. Each path links to the first topic; use Read next on each page to continue.

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Windows authentication architecture

learn.microsoft.com

Microsoft Learn

Credentials processes in Windows authentication

learn.microsoft.com

Why it matters

Authentication is where identity enters the system. It explains why tokens exist, why LSASS matters, and why logs and sessions reflect specific users and services.

Mental model

Logon is a pipeline: credentials are gathered, an authentication package validates them, Windows creates a logon session, and the resulting security context becomes a token.

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • Processlsass.exe

    Hosts LSA and authentication packages

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • Credential Guard moves secrets into an isolated VTL when enabled.
  • CloudAP and other packages extend AAD/Windows Hello flows.

How it works

  1. 1Winlogon and related UI components gather or broker credentials.
  2. 2LSASS chooses or hosts authentication packages such as Kerberos or NTLM.
  3. 3On success, Windows creates logon state and tokens that later processes and threads use.

Key terms

LSASS
Local Security Authority Subsystem Service, the protected process that enforces local security policy and authentication.
SAM
Security Accounts Manager, the local account database for machine-local identities.
Authentication package
A protocol or provider such as Kerberos or NTLM used to validate identity.

Signing in and opening a network share later

The initial logon produces security context and cached credential material that later let Windows access resources without asking for the password every time.

Common misconception

Authentication is not the same as authorization. Logon proves identity; later access checks still decide what that identity may actually do.

Go deeper

Winlogon, LogonUI, and session sign-in

The visible and semi-visible path from secure attention to a fully signed-in session.

LSASS, SAM, and local security policy

The protected security process and data stores behind local accounts and policy decisions.

Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.

CNG, Schannel & crypto plumbing

How Windows centralizes algorithms, keys, and TLS for services and applications.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

intermediate

Winlogon, LogonUI, and session sign-in

The visible and semi-visible path from secure attention to a fully signed-in session.

Next step in your guided path

intermediate

LSASS, SAM, and local security policy

The protected security process and data stores behind local accounts and policy decisions.

Go deeper in this branch

intermediate

Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.

Go deeper in this branch

Related topics

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Session Manager, Winlogon, and the shell

The early user-mode path from system process creation to an interactive desktop.

Providers & channels

Who emits events and where those records are routed inside Windows logging.

Previous

Named pipes

A durable named endpoint for client/server communication on the same machine or across the network.

Next

Winlogon, LogonUI, and session sign-in

The visible and semi-visible path from secure attention to a fully signed-in session.